On 2015-06-10 14:11, Sönke Ludwig wrote:

Getting some of those use cases on a Wiki page or something would be
great. There have been some ideas to approach the procedural aspect from
a different angle - using procedural DUB plugins that can be invoked
from within the declarative build description. This would have the
advantage that a lot of information can be gathered about a package
without executing procedural code (with the possible accompanying
security risks and performance issues or the efforts needed to mitigate
those).

Orbit, the package manager I was working on, uses Ruby as the description language. It uses the more traditional way of uploading packages to the registry, basically a ZIP with a special directory layout with every file necessary to build the package.

With this model it's straightforward to "compile" the Ruby code to JSON or YAML when building the package locally (same thing can be done with D). On the server side, the registry only needs to read the JSON file to get the metadata of the package. When installing the package it would use the Ruby file again (or JSON description, never got that far), to be able to run pre and post actions. This part shouldn't be any less secure than the current pre/post commands.

--
/Jacob Carlborg

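The two-sided flow described in the post above (a procedural Ruby description evaluated on the packager's machine and "compiled" to JSON, with the registry reading only the JSON and never executing the Ruby), as an added example that is not Orbit's or DUB's code. The DSL methods (`name`, `version`, `depends`, `pre_build`, `post_install`), the `Registry` validator and the sample description are assumptions made for illustration; the point is that the server side accepts declarative data only, validates it against an allowlist, and rejects the procedural form outright.

```ruby
require 'json'

# Hypothetical Orbit-style description DSL (assumed; not Orbit's real API).
# Step 1 runs on the packager's own machine, where executing Ruby is acceptable.
class PackageDescription
  attr_reader :data

  def initialize
    @data = { "name" => nil, "version" => nil, "dependencies" => {},
              "pre_build" => [], "post_install" => [] }
  end

  def name(v);            @data["name"] = v;                 end
  def version(v);         @data["version"] = v;              end
  def depends(n, c);      @data["dependencies"][n] = c;      end
  def pre_build(cmd);     @data["pre_build"] << cmd;         end
  def post_install(cmd);  @data["post_install"] << cmd;      end

  # Evaluate the procedural description locally and emit declarative JSON.
  def self.compile(ruby_src)
    desc = new
    desc.instance_eval(ruby_src)   # arbitrary Ruby runs here, on the trusted side only
    JSON.generate(desc.data)
  end
end

# Step 2 runs on the registry. It never evaluates Ruby: it parses JSON with
# size and nesting limits and checks every field against an allowlist schema.
module Registry
  ALLOWED_KEYS = %w[name version dependencies pre_build post_install].freeze
  NAME_RE      = /\A[a-z][a-z0-9_-]{0,63}\z/
  VERSION_RE   = /\A\d+\.\d+\.\d+\z/
  MAX_BYTES    = 64 * 1024

  def self.read_metadata(json_bytes)
    raise ArgumentError, "metadata too large" if json_bytes.bytesize > MAX_BYTES
    meta = JSON.parse(json_bytes, max_nesting: 8, create_additions: false)
    raise ArgumentError, "top level must be an object" unless meta.is_a?(Hash)
    extra = meta.keys - ALLOWED_KEYS
    raise ArgumentError, "unknown keys: #{extra.join(',')}" unless extra.empty?
    raise ArgumentError, "bad name"    unless meta["name"].is_a?(String)    && meta["name"]    =~ NAME_RE
    raise ArgumentError, "bad version" unless meta["version"].is_a?(String) && meta["version"] =~ VERSION_RE
    deps = meta.fetch("dependencies", {})
    raise ArgumentError, "dependencies must be an object" unless deps.is_a?(Hash)
    deps.each do |k, v|
      raise ArgumentError, "bad dependency #{k.inspect}" unless k.is_a?(String) && k =~ NAME_RE && v.is_a?(String)
    end
    # Pre/post commands are kept as opaque strings: the registry records them
    # for the installer but never runs them.
    %w[pre_build post_install].each do |key|
      cmds = meta.fetch(key, [])
      raise ArgumentError, "#{key} must be a list of strings" unless cmds.is_a?(Array) && cmds.all? { |c| c.is_a?(String) }
    end
    meta
  end
end

# Constructed sample description (not a real package).
SAMPLE_DESCRIPTION = <<~RUBY
  name "orbit-demo"
  version "1.2.3"
  depends "vibe-d", "~>0.7"
  pre_build "dmd -run gen.d"
RUBY

if __FILE__ == $0
  json = PackageDescription.compile(SAMPLE_DESCRIPTION)
  puts json
  puts Registry.read_metadata(json).inspect
end
```

Handing the registry the Ruby file instead of the compiled JSON fails at `JSON.parse`, and any key outside the allowlist (say, a smuggled `post_uninstall`) is refused before it is stored, so the server's exposure is limited to a bounded JSON parser and a handful of regex checks.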